HeadshotsAI

Privacy Policy

Last updated: May 21, 2026

1. Who we are

HeadshotsAI is operated by Bigorna Labs, Lda., a company registered in Portugal. For any privacy-related question, contact us at support@bigornalabs.com.

This policy explains what data we collect when you use HeadshotsAI, why we collect it, who we share it with, and how we keep it secure. It applies to everything you do on the site at the time of this policy's effective date.

2. What we collect

We deliberately collect as little as possible.

  • Your uploaded photo. The selfie you submit for headshot generation. Held only as long as it takes to generate your results (see section 5).
  • Your email address. Captured at checkout so we can send you the download link and a receipt. We do not send marketing emails without separate, explicit opt-in.
  • Payment information. Handled entirely by RevenueCat and Stripe. We never receive, see, or store your card number, CVV, or banking details. We do store a transaction reference so we can answer billing questions and handle chargebacks.
  • Anonymous usage data. Pageviews, button clicks, and funnel events, with no personal identifiers attached.

3. How we process your photo

The flow is short and contained:

  1. You upload a selfie. It is transferred over HTTPS and written to Supabase Storage, where it is encrypted at rest.
  2. We pass the image to Replicate's flux-kontext-apps/professional-headshot model for generation. Replicate processes the image on their infrastructure and returns the generated outputs.
  3. We download those outputs, apply a server-side watermark to the previews, and store both the originals and the watermarked previews in Supabase Storage so you can review and purchase.

4. Where your data lives

We use the following third-party processors:

  • Supabase — image storage and database (EU region by default).
  • Replicate — AI model execution.
  • RevenueCat — payment orchestration.
  • Stripe — payment processing.
  • Resend — transactional email delivery (download links, receipts, support replies).
  • Vercel — hosting and CDN.
  • PostHog — privacy-respecting product analytics.

Each processor receives only the data it needs to perform its specific function, and is bound by its own data-processing agreements and applicable law.

5. Automatic deletion (24 hours)

Your uploaded selfie and every generated headshot are permanently deleted within 24 hours of generation. This includes paid orders. There is no setting, opt-in, or paid tier that extends this window. Deletion happens automatically via a scheduled cleanup job we cannot bypass.

If you want to keep your headshots, download them within the 24-hour window. The link we email you is signed and time-limited; after it expires we cannot re-issue it because the underlying files no longer exist.

6. No AI training, ever

We never use your uploaded photos or generated headshots to train, fine-tune, or evaluate any AI model — ours or anyone else's.

Replicate's commercial API terms also prohibit them from training on inputs submitted through their paid endpoints, which is the integration we use. Your image is processed once, the result is returned, and the input is discarded on their side as well.

7. Cookies and tracking

We use a small number of strictly necessary cookies to keep your generation session functional. We do not use third-party advertising cookies. Our analytics provider (PostHog) is configured to mask IP addresses and not to set persistent third-party identifiers.

8. Your rights (GDPR)

If you are in the European Economic Area, you have the right to:

  • Access the personal data we hold about you.
  • Correct it if it is inaccurate.
  • Request erasure. In practice this is largely automatic — your photos are erased within 24 hours regardless.
  • Receive your data in a portable format.
  • Object to processing or restrict it.
  • Lodge a complaint with the Comissão Nacional de Proteção de Dados (Portugal) or your local supervisory authority.

To exercise any of these rights, email support@bigornalabs.com with the email address you used at checkout. We respond within 30 days.

9. California residents (CCPA)

If you are a California resident, you may request disclosure of the categories of personal information we have collected about you, and request deletion of that information. We do not sell personal data. Send requests to support@bigornalabs.com.

10. Children

HeadshotsAI is not directed to and not intended for anyone under 16. We do not knowingly collect personal data from children. If you believe a child has used the service, contact us and we will delete any associated data immediately.

11. Security

All data is transmitted over TLS and encrypted at rest in Supabase Storage. Generated download links are signed JWTs with a 24-hour expiry. Service-role credentials never leave our server environment.

12. Changes to this policy

We may update this policy as the product evolves. When we do, we update the "Last updated" date at the top of this page and, if the changes are material, we notify active customers by email.

13. Contact

Questions, concerns, or formal data-protection requests: support@bigornalabs.com.

This policy is provided for transparency. It is not a substitute for legal advice. If you have specific concerns about how a particular regulation applies to your use of the service, consult a qualified lawyer.

© 2026 Bigorna Labs, Lda. All rights reserved.